Jun Kudo

@jkudo

How to connect Azure and AWS over a VPN using only managed services.

Introduction

On 2019/2/6, AWS announced IKEv2 support for Site-to-Site VPN.

AWS Site-to-Site VPN Now Supports IKEv2
https://aws.amazon.com/about-aws/whats-new/2019/02/aws-site-to-site-vpn-now-supports-ikev2/

The sticking point when connecting Azure and AWS was that AWS only supported IKEv1.
With IKEv2 now supported, a direct connection between the two sides becomes possible.

There is one caveat, though:
BGP cannot be used (it may be possible depending on settings).

The connection configuration diagram is as follows.

The procedure is as follows.
Azure side
1, Create virtual network
2, Create gateway subnet
3, Create public IP
4, Create virtual network gateway

AWS side
5, Create VPC
6, Create subnet
7, Create Internet gateway (optional)
8, Create customer gateway (static routing)
9, Create virtual private gateway
10, Create VPN connection (static routing)
11, Download the configuration file

Azure side
12, Create local network gateway
13, Create connection

AWS side
14, Add virtual private gateway to the route table

Option
Azure side
15, Set up two connections

Each step is explained below.

1, Create virtual network

Create a virtual network.
The address space on the Azure side is 10.0.0.0/16.

2, Create gateway subnet

Create a gateway subnet.
Open Subnets from the virtual network screen and click Gateway subnet to create it.

Give it a CIDR that does not overlap the subnet created in step 1.

Confirm that it was created.

3, Create public IP

Create a public IP.

4, Create virtual network gateway

Create a virtual network gateway.

5, Create VPC

Create a VPC.
The address space on the AWS side is 192.168.0.0/16.

6, Create subnet

Create a subnet.

7, Create Internet gateway (optional)

Create an Internet gateway (optional).

Attach the Internet gateway to the VPC.

In the route table, point 0.0.0.0/0 at the Internet gateway.

8, Create customer gateway (static routing)

Check the public IP address of Azure's virtual network gateway.

Create the customer gateway with static routing. Enter the IP address confirmed above in the IP address field.

9, Create virtual private gateway

Create a virtual private gateway.

10, Create VPN connection (static routing)

Create a VPN connection with static routing. Add the Azure-side address space as a static IP prefix.

11, Download the configuration file

Download the configuration file. Choose Generic as the vendor.

Check the following values in the file:
IPSec Tunnel #1
- Pre-Shared Key
- Outside IP Addresses: Virtual Private Gateway

12, Create local network gateway

Create a local network gateway.
For the IP address, set the IP address identified above (Virtual Private Gateway).
For the address space, enter the VPC address space on the AWS side.

13, Create connection

Add a connection from the virtual network gateway's Connections screen.

Enter the shared key (Pre-Shared Key) confirmed above.

Confirm that it is connected.

14, Add virtual private gateway to the route table

Add the virtual private gateway to the VPC route table.

15, Set up two connections

Create a second local network gateway.
This time, check the IPSec Tunnel #2 section of the downloaded file and enter its values.
After creating it, specify this local network gateway and create a second connection.

With two connections, communication continues even if one tunnel drops for some reason.
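To pull the values needed in steps 12, 13 and 15 out of the downloaded Generic file without transcribing them by hand, here is an added Python example (not code from the original post). It assumes the "- Name : value" layout shown in the constructed sample, and also checks that the customer gateway AWS recorded is the Azure gateway public IP entered in step 8.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the AWS "Generic" VPN configuration
# download; the keys and addresses are made up, not real values.
SAMPLE_CONFIG = """\
IPSec Tunnel #1
  - Pre-Shared Key           : EXAMPLEkey1NotReal
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 198.51.100.21

IPSec Tunnel #2
  - Pre-Shared Key           : EXAMPLEkey2NotReal
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 198.51.100.22
"""

TUNNEL_HEADER = re.compile(r"^IPSec Tunnel #(\d+)\s*$")
FIELD = re.compile(r"^\s*-\s*(.+?)\s*:\s*(\S+)\s*$")  # "- Name : value"

def parse_tunnels(text: str) -> List[Dict[str, str]]:
    """Split on 'IPSec Tunnel #N' headers; collect each tunnel's fields."""
    tunnels: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if m := TUNNEL_HEADER.match(line):
            current = {"tunnel": m.group(1)}
            tunnels.append(current)
        elif current and (m := FIELD.match(line)):
            current.setdefault(m.group(1), m.group(2))  # first value wins
    return tunnels

def azure_connection_params(text: str, azure_gw_ip: str) -> List[Dict[str, str]]:
    """Per tunnel, return what the Azure side needs (local network gateway IP
    = AWS Virtual Private Gateway address, plus the shared key), and verify
    the recorded customer gateway is the Azure VPN gateway public IP."""
    params = []
    for t in parse_tunnels(text):
        for key in ("Pre-Shared Key", "Virtual Private Gateway", "Customer Gateway"):
            if key not in t:
                raise ValueError(f"tunnel #{t['tunnel']} lacks '{key}'")
        if t["Customer Gateway"] != azure_gw_ip:
            raise ValueError(f"tunnel #{t['tunnel']}: customer gateway "
                             f"{t['Customer Gateway']} is not {azure_gw_ip}")
        params.append({"tunnel": t["tunnel"],
                       "local_network_gateway_ip": t["Virtual Private Gateway"],
                       "shared_key": t["Pre-Shared Key"]})
    return params
```

Each returned entry maps directly onto one local network gateway plus one connection on the Azure side, so tunnel #2 gives you the second pair from step 15.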

Confirming communication

Confirm that the Azure and AWS sides can communicate with each other.

This completes all of the work.

Throughput

I roughly measured the throughput using iperf.

Azure: Standard D2s v3 (2 vCPU, 8 GB memory)
AWS: m5.large (2 vCPU, 8 GB memory)

Azure→AWS

------------------------------------------------------------
Client connecting to 192.168.0.5, TCP port 5001
TCP window size: 45.0 KByte (default)
------------------------------------------------------------
[ 3] local 10.0.0.4 port 51160 connected with 192.168.0.5 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 659 MBytes 553 Mbits/sec

AWS→Azure

------------------------------------------------------------
Client connecting to 10.0.0.4, TCP port 5001
TCP window size: 45.0 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.0.5 port 50116 connected with 10.0.0.4 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 759 MBytes 636 Mbits/sec

I wonder if it is usually faster than a leased line service.

Summary

I was able to confirm that AWS can connect directly with Azure now that IKEv2 is supported.
Until now, it was necessary to prepare a Windows server or similar to VPN between Azure and AWS.
Since the VPN can now be established using only managed services, there is no need to set up a virtual machine,
and the management burden is reduced to the point that we hardly need to worry about operations.
I believe that connecting Azure and AWS in an environment that is managed on both sides will make it usable for various purposes in the future.
Using Azure for what Azure is good at, AWS for what AWS is good at, and each as DR for the other: I think there are many valuable uses.
On top of that, multi-cloud will keep advancing!

I am very happy, because this is a feature I have wanted for years!

Original Content (Japanese) : http://level69.net/archives/26362
